Sample script to dynamically update a policy server cluster

Article ID: 383243


Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

In a dynamic environment, the set of available Policy Servers changes over time.

The web agent supports a dynamic Policy Server cluster when enableDynamicHCO="YES" is set in the SmHost.conf file.

However, the HCO (Host Configuration Object) must still be updated with the correct Policy Servers.

The sample script in this article demonstrates how to use the AdminUI REST API to dynamically update the Policy Server cluster.

Resolution

[Prerequisite]

The SiteMinder administrator must find a way to write the currently available list of Policy Server IPs to the hosts.txt file, which this sample script uses as input for the new Policy Server list.

The AdminUI is required for the REST API to work.

 

[Disclaimer]

The provided script is just an example.

Comments and ideas are welcome.

If further assistance is needed, please open a support ticket.

 

HCO-Update-Cluster.sh

#!/bin/bash
#
# Sample script to use adminUI restAPI to dynamically update the hosts in a cluster (from a hosts list file) of a HCO
#
#set -x


# Configure the following variables before running the script
# ====================================
# API_ENDPOINT includes the HCO name
# CLUSTER_INDEX starts from 0; 0 means the first cluster
API_ENDPOINT="https://<adminUI host>:<port>/ca/api/sso/services/policy/v1/SmHostConfigs/<HCO name>"
API_LOGIN_ENDPOINT="https://<adminUI host>:<port>/ca/api/sso/services/login/v1/token"
API_LOGIN_CREDENTIAL="<legacy admin user>:<password>"
CLUSTER_INDEX=0
# ====================================

JSON_FILE="./spshco.json"
NEW_JSON_FILE="./spshconew.json"
#in MY_HOSTS_FILE, IPs or hostnames need to be the first column
MY_HOSTS_FILE="./hosts.txt"
BAK_JSON_FILE="./spshco_$(date +%Y%m%d_%H%M%S).json"



# Get session token from API
# NOTE: -k disables TLS certificate verification. Once the AdminUI certificate
# can be validated, replace -k with --cacert <CA bundle> in every curl call.
get_session_token() {
    local session_response
    session_response=$(curl -k -s -L -X POST \
                          "${API_LOGIN_ENDPOINT}" \
                          -u "$API_LOGIN_CREDENTIAL")

    if [[ "$session_response" == *"session"* ]]; then
        echo "$session_response" | jq -r .sessionkey
    else
        echo "Failed"
    fi
}



# Get session token
SESSION_TOKEN=$(get_session_token)

if [ "$SESSION_TOKEN" = "Failed" ]; then
  echo "Login failed."
  exit 1
fi

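# Export the current HCO
curl -k -X 'GET' \
  "$API_ENDPOINT" \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer '"$SESSION_TOKEN" > "${JSON_FILE}" 2>/dev/null

# Stop if the export did not return the HCO data, so that an error
# response is never modified and sent back in the PUT request
if ! jq -e '.data' "$JSON_FILE" > /dev/null 2>&1; then
  echo "Failed to export the HCO."
  exit 1
fi

# Back up the old JSON output
cp "$JSON_FILE" "$BAK_JSON_FILE"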

# Remove DOS-format line endings and empty lines from the host list file
sed 's/\r//g' "$MY_HOSTS_FILE" | sed '/^$/d' > temphosts.txt
HOST_COUNT=$(wc -l temphosts.txt | awk '{print $1}')
# Get the old host list in Clusters[CLUSTER_INDEX] as a raw string ("null" if absent)
OLD_HOST_LIST=$(jq -r --argjson idx "$CLUSTER_INDEX" '.data.Clusters[$idx]' "$JSON_FILE")

if [ "$HOST_COUNT" -gt 0 ]; then
  # Build the new host list: "<count>;<host>,44443;...;0"
  MY_HOST_LIST="$HOST_COUNT;$(awk '{printf "%s,44443;", $1}' temphosts.txt | sed 's/;$//');0"

  # Check if the old host list is the same as the new host list
  if [ "$MY_HOST_LIST" = "$OLD_HOST_LIST" ]; then
    echo "No change on host list"
    exit 0
  fi

  # Update Clusters[CLUSTER_INDEX] with the new host list. The values are passed
  # as jq arguments so that hosts file content is never parsed as part of the jq filter.
  jq '.data' "$JSON_FILE" > "$NEW_JSON_FILE"
  jq --argjson idx "$CLUSTER_INDEX" --arg hosts "$MY_HOST_LIST" \
    '.Clusters[$idx] = $hosts' "$NEW_JSON_FILE" > temp.json && mv temp.json "$NEW_JSON_FILE"
else
  # The new host list is empty; check if the old host list is null too
  if [ "$OLD_HOST_LIST" = "null" ]; then
    echo "No change on host list"
    exit 0
  fi
  # Delete Clusters[CLUSTER_INDEX] if the old host list is not empty
  jq '.data' "$JSON_FILE" > "$NEW_JSON_FILE"
  jq --argjson idx "$CLUSTER_INDEX" 'del(.Clusters[$idx])' "$NEW_JSON_FILE" > temp.json && mv temp.json "$NEW_JSON_FILE"
fi
#update hco
curl -k -X 'PUT' \
  "$API_ENDPOINT" \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer '"$SESSION_TOKEN" \
  -d @"$NEW_JSON_FILE"
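
Because hosts.txt is produced by separate automation, its entries can be validated before they are written into the HCO. The following is an added example, not part of the original article or the product: it builds the same "<count>;<host>,44443;...;0" cluster string as the script above, but stops on any entry that is not an IPv4 address or hostname. The function names, the PS_PORT variable, the exit status 2 for an empty list, and the sample hosts are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a hosts file, then build the HCO cluster string.
# PS_PORT and all function names are assumptions; 44443 is the port used above.
PS_PORT=44443

# Returns 0 only for a dotted-quad IPv4 address or an RFC 1123 style hostname.
is_valid_host() {
    h=$1
    case $h in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac   # empty or disallowed character
    case $h in
        *[!0-9.]*)   # contains a letter or hyphen: check as a hostname
            [ "${#h}" -le 253 ] || return 1
            printf '%s\n' "$h" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
            ;;
        *)           # digits and dots only: must be a valid IPv4 address
            printf '%s\n' "$h" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || return 1
            old_ifs=$IFS; IFS=.; set -- $h; IFS=$old_ifs
            for o in "$@"; do [ "$o" -le 255 ] || return 1; done
            ;;
    esac
}

# Prints "<count>;<host>,<port>;...;0" from the first column of the file in $1.
# Returns 1 on the first invalid entry (nothing is printed to stdout), and 2
# when the file holds no hosts, so the caller decides whether removing the
# cluster is intended. Duplicate hosts are counted once.
build_cluster_string() {
    list=""; count=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        host=$(printf '%s\n' "$line" | tr -d '\r' | awk '{print $1}')
        [ -n "$host" ] || continue
        if ! is_valid_host "$host"; then
            # Report the line number only; the rejected text is untrusted.
            printf 'hosts file: invalid entry on line %d\n' "$lineno" >&2
            return 1
        fi
        case ";$list" in *";$host,"*) continue ;; esac   # skip duplicates
        list="${list}${host},${PS_PORT};"
        count=$((count + 1))
    done < "$1"
    [ "$count" -gt 0 ] || return 2
    printf '%s;%s0\n' "$count" "$list"
}

# Constructed sample input: DOS line ending, blank line, hostname, duplicate.
sample_hosts() {
    printf '10.0.1.11 ps1\r\n\n10.0.1.12\nps3.example.internal\n10.0.1.11\n'
}
```

In the script above, the output of build_cluster_string can replace the awk-built MY_HOST_LIST value, with a non-zero status ending the run before the PUT request.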

 

Additional Information